It seems like every day there's news that another site or service has been hacked. The intruders make off with usernames and passwords, and even when the stored passwords were hashed or encrypted, the service forces its users to change them. This week it was DreamHost, and last week it was Zappos.


We're big fans of LastPass, a cross-platform password manager that helps you create and manage secure, unique passwords for every site, but the single point of failure is obvious: what happens if someone gets your master password? Here's how to beef up LastPass by turning a USB flash drive into a key you have to plug into your computer before you can access your passwords. That way, the next time a service you use is hacked, even if that service is LastPass, a leaked master password alone won't open your vault.

Step One: Start Using LastPass

If you're not already using LastPass to generate, store, and manage a different strong password for every site and service you use on the web, it's time to get started. The beauty of LastPass is that it's available for Mac, Windows, Linux, and even mobile devices, and you only have to choose and remember one strong master password, which then unlocks all of your other logins. Still, LastPass keeps your encrypted vault in the cloud, and however well it's protected there, if someone gets hold of your master password you're pretty much screwed, right? Not if you have a spare USB drive with Sesame, a LastPass utility that turns the drive into an actual key needed to unlock your vault. Once it's installed and set up, you'll need both your master password and a one-time token that Sesame generates from that drive, plugged into your Mac, Windows, or Linux PC, before you can unlock your vault and access your saved passwords.


Step Two: Grab a USB Flash Drive and Install Sesame

The next thing you'll need is a USB flash drive. The idea is that your second authentication factor should be something you have (a physical device) rather than a second thing you know (another password or a memorized code). LastPass offers a tool called Sesame that turns any USB drive into that second factor: it generates a one-time token that you must supply, along with your master password, whenever you need access to your LastPass vault. This way, even if someone obtains your master password, it's useless without the USB drive, and the drive is useless without the password.


You already know how to secure your personal belongings, like your wallet or keys, so a USB flash drive like the LaCie key-shaped USB drives that fit right on your keychain shouldn't be a problem to keep safe and secure.

Once you have Sesame downloaded and extracted to your USB drive, here's how to set it up:

Run the Sesame utility on your USB drive, and log in with your LastPass credentials.

Sesame will email you an activation code, required to enable two-factor authentication on your account.

Click the link in your activation email to activate Sesame. (Note: The activation code is only good for 10 minutes.)

After you've activated Sesame, you'll have to log in with both a Sesame one-time token and your LastPass credentials whenever you want to access your password vault (more on this in the next section).

Step Three: Use Your Key to Access Your Password Vault

Going forward, you'll need your USB drive any time you want to access your LastPass vault, such as when a service or site you have an account with gets hacked and you need to change the password, or when you reset a password for one of those services.

To access your LastPass vault once you have Sesame enabled, you have two options.

Option One:

Visit LastPass in your browser, and log in with your LastPass credentials.

When you're prompted for a Sesame one-time token, pop in your USB key and run Sesame to generate your token and copy it to the clipboard.

Paste the token into the authentication screen, and click OK to access your password vault.

Option Two:

Insert your USB key and run Sesame.

Check the box for "Launch Browser," and click the "Generate One Time Password" button.

Sesame will generate your token, open your browser and go to LastPass, and pass the token for you. Type in your master password, and click OK to access your vault.
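To make the "something you know plus something you have" idea concrete, here is a small model of the login flow described above, written for this article. It is not LastPass's or Sesame's actual code or protocol, and Sesame's real token format is not documented here; the token scheme used is standard HOTP (RFC 4226), and the class names, the secret-on-a-drive layout, and the five-code look-ahead window are assumptions made for the example. The server stores only a salted password hash and the device secret, the key stores the device secret and a counter, and each token is consumed after one successful use.

```python
"""Illustrative password-plus-USB-token login (added example, not LastPass code).

Token scheme: HOTP, RFC 4226 (HMAC-SHA1 over an 8-byte counter, dynamic
truncation to 6 digits). Everything else (UsbKey, VaultServer, the look-ahead
window) is an assumption made for this example.
"""
import hashlib
import hmac
import secrets
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for (secret, counter) as a zero-padded string."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class UsbKey:
    """Something you have: the device secret and a counter living on the drive."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def generate_token(self) -> str:
        token = hotp(self.secret, self.counter)
        self.counter += 1  # every token is used at most once
        return token


class VaultServer:
    """Holds a salted password hash plus the device secret, never the password."""

    LOOKAHEAD = 5  # tolerate tokens generated but never submitted

    def __init__(self, master_password: str, device_secret: bytes):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(master_password, self.salt)
        self.device_secret = device_secret
        self.counter = 0  # lowest counter value the server still accepts

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def login(self, password: str, token: Optional[str]) -> bool:
        # Factor 1: something you know. Constant-time compare of the hash.
        if not hmac.compare_digest(self._hash(password, self.salt), self.pw_hash):
            return False
        # Factor 2: something you have. Password alone is never enough.
        if token is None:
            return False
        for c in range(self.counter, self.counter + self.LOOKAHEAD):
            if hmac.compare_digest(hotp(self.device_secret, c), token):
                self.counter = c + 1  # consume it: a replayed token is rejected
                return True
        return False


def enroll(master_password: str, device_secret: Optional[bytes] = None):
    """Provision a key and a server sharing one device secret."""
    secret = device_secret if device_secret is not None else secrets.token_bytes(20)
    return UsbKey(secret), VaultServer(master_password, secret)


def demo() -> dict:
    """Walk through the four cases a practitioner cares about.

    Uses the RFC 4226 test-vector secret so the run is deterministic."""
    key, server = enroll("correct horse battery staple", b"12345678901234567890")
    results = {}
    # Master password leaked, no drive: rejected.
    results["password_only"] = server.login("correct horse battery staple", None)
    # Drive stolen, password unknown: rejected (and that token is now burned).
    results["token_only"] = server.login("wrong guess", key.generate_token())
    # Both factors present: accepted.
    tok = key.generate_token()
    results["both"] = server.login("correct horse battery staple", tok)
    # Same token submitted again (shoulder-surfed, logged, pasted twice): rejected.
    results["replay"] = server.login("correct horse battery staple", tok)
    return results


if __name__ == "__main__":
    print(demo())
```

Running the module prints the four outcomes; only the case with both the correct master password and a fresh token succeeds, and the look-ahead window is what keeps the server and the key in step after the "token only" attempt burned a code.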

Don't worry if you lose your Sesame USB key: on its own, the key is useless without your LastPass email address and master password. Visit your LastPass vault, click the link on the authentication screen to tell LastPass that you no longer have your Sesame device, and confirm via email that you want to deactivate Sesame. Then grab another USB key, reinstall Sesame, re-activate it, and you're on your way. Because that deactivation is confirmed over email, the mailbox tied to your LastPass account is a way around the second factor, so protect it at least as well as your vault.

Step Four: Audit Your Passwords and Strengthen Security

Now that your LastPass vault is well protected with two-factor authentication, it's time to tune up the passwords that LastPass is protecting. After all, LastPass won't do you much good if your Amazon password is "password" or if your Google account password is "123456." We've discussed how you can use LastPass to audit and update your passwords, and even how you can make those passwords more secure and easy to use. If you're taking steps to make your LastPass account as hack-proof as possible, you may as well go the extra mile and make your individual passwords as strong as possible as well.


As we mentioned, Sesame is a great tool to make sure that even if LastPass gets hacked, or someone gets hold of your LastPass master password, they don't have carte blanche to log in to your LastPass account and grab your credentials for everything else on the web. It doesn't, however, add a second authentication factor to any of the services you use, so it's important to make sure those passwords are strong and unique.
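The audit that Step Four asks for (find reused passwords, common ones, and short ones) can be done mechanically over a vault export. The script below is an added example for this article, not a LastPass feature; it assumes a CSV export with at least `url`, `username`, `password`, and `name` columns, and the sample rows, the short list of common passwords, and the 12-character minimum are constructed for the example. It reports each entry's problems and which other entries share its password.

```python
"""Audit a password-manager CSV export for reuse and weak passwords.

Added example, not LastPass code. Assumes the export has the columns
url,username,password,name; the sample rows below are constructed.
"""
import csv
import io
from collections import defaultdict
from typing import List, Tuple

# A tiny stand-in for a real common-password list (constructed for the example).
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "letmein", "abc123"}
MIN_LENGTH = 12  # assumption for the example; pick your own policy

# Constructed sample export: two common passwords, one password shared by two
# sites, and one entry that is fine.
SAMPLE_EXPORT = """url,username,password,name
https://www.amazon.com,alice@example.com,password,Amazon
https://accounts.google.com,alice@example.com,123456,Google
https://www.ebay.com,alice,Tr0ub4dor&3,eBay
https://www.paypal.com,alice@example.com,Tr0ub4dor&3,PayPal
https://www.facebook.com,alice@example.com,k7#Qw!2pLz9vB$eR,Facebook
"""


def audit(export_text: str) -> List[Tuple[str, str]]:
    """Return (entry name, finding) pairs for every problem found."""
    rows = list(csv.DictReader(io.StringIO(export_text)))

    # Group entries by password so reuse across sites shows up.
    by_password = defaultdict(list)
    for row in rows:
        by_password[row["password"]].append(row["name"])

    findings = []
    for row in rows:
        pw, name = row["password"], row["name"]
        if pw.lower() in COMMON_PASSWORDS:
            findings.append((name, "common password"))
        elif len(pw) < MIN_LENGTH:
            findings.append((name, f"shorter than {MIN_LENGTH} characters"))
        others = [n for n in by_password[pw] if n != name]
        if others:
            findings.append((name, "reused on " + ", ".join(others)))
    return findings


if __name__ == "__main__":
    for name, problem in audit(SAMPLE_EXPORT):
        print(f"{name}: {problem}")
```

Run it against your own export in place of `SAMPLE_EXPORT`, then change every flagged entry in LastPass. Remember that an export is your whole vault in plaintext: keep it off shared or synced folders and delete it as soon as the audit is done.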

Step Five: Consider Secondary Authentication for Other Web Services

In addition to beefing up your LastPass account, you might want to consider activating two-factor authentication for any other web services where it's available. For example, we've discussed how you can—and should—set up two-factor authentication for your Google account, and how you can do the same for your Facebook account as well. Many banks and financial institutions are coming around to offering two-factor authentication before you can get at your financial statements or move your money around, so contact your bank or investment firm to see if that added security is available to you.


Step Six: Stay Vigilant

If you've been following along, you should now have LastPass set up with two-factor authentication for your vault, you've audited your passwords and made them stronger and harder to crack, and you've activated multi-factor authentication on the services that offer it. None of that means you can relax and forget about security: you'll still need to change your password promptly for any site or service you use that gets hacked, and you'll still need a different strong password for each one. No password mechanism, web service, or authentication scheme is completely hack-proof. That said, this should help you breathe a little easier.